What about dependency resolution à la apt?

What about dependency resolution à la apt?

[Amirouche]

Héllo,

AFAIU guix does hardcode the dependencies so that to know the dependencies
one has onlytocrawl the dependency DAG using a BFS or something. I don't
know what is the exact part in guix that does that. It's only my 
understanding.

What about having apt-like dependency resolution, also like npm where 
version
are specified in terms of "superior to", "equal to" taking advantage of 
semantic
versionning?

tx!

Re: What about dependency resolution à la apt?

[Tobias Geerinckx-Rice]

[-- Attachment #1.1: Type: text/plain, Size: 2032 bytes --]

Amirouche,

On 16/03/17 19:52, Amirouche wrote:
> Héllo,

Hi!

I'm not the most technically qualified person to answer this, nor the
most articulate, but I'm mainly curious and slightly puzzled as to why
this question keeps popping up. I hope others will join in, since I fear
this hints at some fundamental misunderstandings about Guix that might
hurt world d^W^W adoption.

> AFAIU guix does hardcode the dependencies so that to know the
> dependencies one has onlytocrawl the dependency DAG using a BFS or
> something. I don't know what is the exact part in guix that does
> that. It's only my understanding.

This doesn't happen.[1]

It takes some getting used to when you're used to old-school package
managers where the resolver is A Big Deal, or even The Biggest Deal:
Gentoo, anyone?

But one of the many great things about functional package management à
la Nix/Guix is that you don't need — or want — a dependency resolver. At
all. That eliminates a lot of nasty problems, and makes others much
easier to solve.

Huge Deal.

> What about having apt-like dependency resolution, also like npm
> where version are specified in terms of "superior to", "equal to"
> taking advantage of semantic versionning?[2]

Guix already does ‘equal to’ better than anyone. Bit-identical, even.

What does ‘superior to’ mean? Why not just specify the latest version
that works? What's to gain by throwing uncertainty back into the game?

Kind regards,

T G-R

[1]: In Guix. Correct me if I'm wrong.

I'm ignoring the importer, which may eventually need to ‘solve’ things
like npm version constraints when first importing npm packages. *shrugs*

[2]: Side rant: the myth of semantic versioning needs to die.

It tries to solve the problem of downstream machines playing a guessing
game that's doomed to break (i.e. ‘apt-like dependency resolution’), by
making upstream humans play a different guessing game.

There is simply nothing there to take advantage of.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 476 bytes --]

Re: What about dependency resolution à la apt?

[Thompson, David]

Hi Tobias,

On Thu, Mar 16, 2017 at 4:28 PM, Tobias Geerinckx-Rice <me@tobias.gr> wrote:
> Amirouche,
>
> On 16/03/17 19:52, Amirouche wrote:
>> Héllo,
>
> Hi!
>
> I'm not the most technically qualified person to answer this, nor the
> most articulate, but I'm mainly curious and slightly puzzled as to why
> this question keeps popping up. I hope others will join in, since I fear
> this hints at some fundamental misunderstandings about Guix that might
> hurt world d^W^W adoption.

A big +1 from me.  I wanted to write something similar but you summed
it up better than I would have.  Thanks!

- Dave

Re: What about dependency resolution à la apt?

[Tobias Geerinckx-Rice]

[-- Attachment #1.1: Type: text/plain, Size: 278 bytes --]

On 16/03/17 21:28, Tobias Geerinckx-Rice wrote:
> [2]: Side rant: the myth of semantic versioning needs to die.
> [...]
> There is simply nothing there to take advantage of.

To be taken with a grain of salt, but no more than one.

Old man yells at packages,

T G-R


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 476 bytes --]

Re: What about dependency resolution à la apt?

[Amirouche]

Le 16/03/2017 à 21:28, Tobias Geerinckx-Rice a écrit :
> Amirouche,
>
> On 16/03/17 19:52, Amirouche wrote:
>> Héllo,
> Hi!
>
> I'm not the most technically qualified person to answer this, nor the
> most articulate, but I'm mainly curious and slightly puzzled as to why
> this question keeps popping up.

Sorry!

> I hope others will join in, since I fear
> this hints at some fundamental misunderstandings about Guix that might
> hurt world d^W^W adoption.

Maybe patch the FAQ?

>
>> AFAIU guix does hardcode the dependencies so that to know the
>> dependencies one has onlytocrawl the dependency DAG using a BFS or
>> something. I don't know what is the exact part in guix that does
>> that. It's only my understanding.
> This doesn't happen.[1]
>
> It takes some getting used to when you're used to old-school package
> managers where the resolver is A Big Deal, or even The Biggest Deal:
> Gentoo, anyone?

Yes.. But autoconf does the same, it specify some dependency
that can match patch or minor version number.

> But one of the many great things about functional package management à
> la Nix/Guix is that you don't need — or want — a dependency resolver. At
> all. That eliminates a lot of nasty problems, and makes others much
> easier to solve.
>
> Huge Deal.
>
>> What about having apt-like dependency resolution, also like npm
>> where version are specified in terms of "superior to", "equal to"
>> taking advantage of semantic versionning?[2]
> Guix already does ‘equal to’ better than anyone. Bit-identical, even.

That's is off topic?

Re: What about dependency resolution à la apt?

[Tobias Geerinckx-Rice]

[-- Attachment #1.1: Type: text/plain, Size: 2964 bytes --]

Amirouche,

On 16/03/17 21:56, Amirouche wrote:
> Le 16/03/2017 à 21:28, Tobias Geerinckx-Rice a écrit :
>> [...] I'm mainly curious and slightly puzzled as to why
>> this question keeps popping up.
> 
> Sorry!

Not at all. Thanks for making me think about this some more and put my
thoughts into words.

You're the poor sod who has to read them.

>> I hope others will join in, since I fear
>> this hints at some fundamental misunderstandings about Guix that might
>> hurt world d^W^W adoption.
> 
> Maybe patch the FAQ?

I don't even grok the question! :-)

Nor did I know that Guix had a FAQ. Also, the rest of this e-mail should
illustrate why I am not the person to concisely and clearly answer anything.

>> It takes some getting used to when you're used to old-school package
>> managers where the resolver is A Big Deal, or even The Biggest Deal:
>> Gentoo, anyone?
> 
> Yes.. But autoconf does the same, it specify some dependency
> that can match patch or minor version number.

...yyyes. That is true? But...?

I'm afraid I still can't see how this relates to Guix.

Build systems like autotools and package managers like apt and npm hail
from a hostile and fragile world: in general, packages are installed
into a single, shared root filesystem, from constantly updating global
repository.

Oh, and you can hardly ever install more than one version of a package
at a time. And some packages flatly refuse to coexist with others.

In this world, dependencies do indeed need to be ‘resolved’: “Yo, apt,
go fetch a libfoo from the pile that's at least this new (but not part
of the 2.x series!) without breaking these 463 other packages.”

The[1] correct solution may involve up- or downgrading many other
packages, or even removing conflicting ones. All nicely taken care of by
the package manager. Until it breaks. I call it ‘Ubuntu’.

In Guix, installing one package doesn't touch any other package. There
are no conflicts. Package specifications aren't secretly queries with 0
or more matches like in apt, but unambiguous identifiers.

Guix doesn't play fetch. It can't. You tell it exactly which package to
use — and that's a feature.

Perhaps this is where the confusion arises: ‘exactly which packages’
does not mean ‘libfoo == 1.4’. It means ‘this store entry containing
exactly this build of libfoo.’ Maybe it is libfoo 1.4. Maybe it's
patched to hell. It doesn't even matter: the resulting system either
works, or it doesn't.

Phew. Sorry. I warned you.

>> Guix already does ‘equal to’ better than anyone. Bit-identical, even.
> 
> That's is off topic?

Not at all. When you suggest ‘dependency resolution’, you have to think
carefully about what that means and how it would affect this key property.

Anyway, I'll leave the floor to others now.

Kind regards,

T G-R

[1]: ‘A’. This stuff is insanely non-deterministic.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 476 bytes --]

Re: What about dependency resolution à la apt?

[Ludovic Courtès]

Howdy Amirouche!

Amirouche <amirouche@hypermove.net> skribis:

> Le 16/03/2017 à 21:28, Tobias Geerinckx-Rice a écrit :
>> Amirouche,
>>
>> On 16/03/17 19:52, Amirouche wrote:
>>> Héllo,
>> Hi!
>>
>> I'm not the most technically qualified person to answer this, nor the
>> most articulate, but I'm mainly curious and slightly puzzled as to why
>> this question keeps popping up.
>
> Sorry!

No problem, there’s nothing wrong with your question.

The key point in Tobias’ message is this:

>> But one of the many great things about functional package management à
>> la Nix/Guix is that you don't need — or want — a dependency resolver. At
>> all. That eliminates a lot of nasty problems, and makes others much
>> easier to solve.

Tools like apt allow developers to describe a (very large) set of
possible dependency graphs, which the dependency resolver tries hard to
narrow down to something reasonable.

Conversely, functional package managers describe just one dependency
graph.  The downside is the “security update” scenario, though we
address it with grafts¹, and the huge advantage is that we get tractable
build processes and package composition.

HTH!

Ludo’.

¹ https://gnu.org/s/guix/news/timely-delivery-of-security-updates.html

Re: What about dependency resolution à la apt?

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 2149 bytes --]

ludo@gnu.org (Ludovic Courtès) writes:

> Howdy Amirouche!
>
> Amirouche <amirouche@hypermove.net> skribis:
>
>> Le 16/03/2017 à 21:28, Tobias Geerinckx-Rice a écrit :
>>> Amirouche,
>>>
>>> On 16/03/17 19:52, Amirouche wrote:
>>>> Héllo,
>>> Hi!
>>>
>>> I'm not the most technically qualified person to answer this, nor the
>>> most articulate, but I'm mainly curious and slightly puzzled as to why
>>> this question keeps popping up.
>>
>> Sorry!
>
> No problem, there’s nothing wrong with your question.
>
> The key point in Tobias’ message is this:
>
>>> But one of the many great things about functional package management à
>>> la Nix/Guix is that you don't need — or want — a dependency resolver. At
>>> all. That eliminates a lot of nasty problems, and makes others much
>>> easier to solve.
>
> Tools like apt allow developers to describe a (very large) set of
> possible dependency graphs, which the dependency resolver tries hard to
> narrow down to something reasonable.
>
> Conversely, functional package managers describe just one dependency
> graph.  The downside is the “security update” scenario, though we
> address it with grafts¹, and the huge advantage is that we get tractable
> build processes and package composition.
>
> HTH!
>
> Ludo’.
>
> ¹ https://gnu.org/s/guix/news/timely-delivery-of-security-updates.html

Amirouche, your question is a perfectly natural one to ask.  If you're
hungry for additional information regarding this interesting topic,
consider reading the introduction to Eelco Dolstra's Nix thesis [1].  In
the first 17 pages, he describes the main issues in the field of
software deployment, surveys the state of the art (as of August 2006)
while pointing out the unsolved problems, and summarizes how Nix (and
thus Guix, which uses Nix) solves those problems.

Section 1.2 is of particular interest.  In it, Eelco explains why the
practice of specifying dependencies by name (even when a version is
included) is insufficient for correct deployment of software.

[1] https://nixos.org/%7Eeelco/pubs/phd-thesis.pdf

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]